Forum Discussion
Outlook login issues with WVD - FSLogix
- Nov 22, 2019
DAsnow, this scenario isn't ringing a bell in terms of a common scenario; probably best to contact support on this.
Following fix in place at the moment:
Create a GPO to add the following registry key, or create it manually:
HKEY_LOCAL_MACHINE\Software\FSlogix\Profiles
KeepLocalDir DWORD 1
Then add a "redirections.xml" file in the following location for each user:
c:\users\%username%\AppData\Local\FSLogix
The redirection only works when the file is present upon logon, so do a logoff/logon afterwards or inject it into the dormant profile.
Contents of redirections.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection>
  <Excludes>
    <Exclude Copy="0">AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy</Exclude>
    <Exclude Copy="0">AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\TokenBroker</Exclude>
  </Excludes>
</FrxProfileFolderRedirection>
You will have to enter credentials on EACH Session Host ONCE, but after that you can move between hosts without any issue.
The theory of this fix:
Modern Authentication works with tokens. Those tokens contain the Device ID. Storing them in FSLogix breaks them because the Device ID contained in them no longer matches. The fix pushes those tokens out of the FSLogix container to a local_username folder and no longer deletes that folder upon logoff from the machine. Once you have a working token on each host, it will refresh if needed, but it no longer breaks. Hope this helps, because MS was clueless after spending a few weeks with the FSLogix/Office teams.
- Only one customer has issues, while we have multiple setups like this
- Only happens after a password change (in our case)
- I don't see this issue on VDI, while they change desktops every day
The only difference is that some users have multiple accounts in Outlook from different tenants, but we also see this happen with users that have a single account after changing their password.
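The two steps of the workaround posted above (the KeepLocalDir registry value and the per-user redirections.xml) as one PowerShell script. This is an added example written for this page, not code from the thread or from FSLogix. It assumes (none of which the thread states) that it runs elevated on a session host, that user profiles live under C:\Users, that the names in $SkipProfiles are the only non-user folders there, and that setting the registry value locally is acceptable where the thread suggests a GPO. The function names are invented here.

```powershell
# Added example, not from the thread: apply the FSLogix token workaround on one
# session host. Assumptions (not stated in the thread): runs elevated, profiles
# live under C:\Users, local registry write instead of the GPO the thread suggests.

$FsLogixProfilesKey = 'HKLM:\SOFTWARE\FSLogix\Profiles'

# Same redirections.xml content as posted in the thread; only whitespace differs.
$RedirectionsXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<FrxProfileFolderRedirection>
  <Excludes>
    <Exclude Copy="0">AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy</Exclude>
    <Exclude Copy="0">AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy</Exclude>
    <Exclude Copy="0">AppData\Local\Microsoft\TokenBroker</Exclude>
  </Excludes>
</FrxProfileFolderRedirection>
'@

# Folders under C:\Users that are not real user profiles (assumption for this example).
$SkipProfiles = @('Public', 'Default', 'Default User', 'All Users')

function Set-FsLogixKeepLocalDir {
    # Step 1 from the thread: KeepLocalDir = 1 (DWORD) under HKLM\Software\FSLogix\Profiles.
    if (-not (Test-Path -Path $FsLogixProfilesKey)) {
        New-Item -Path $FsLogixProfilesKey -Force | Out-Null
    }
    New-ItemProperty -Path $FsLogixProfilesKey -Name 'KeepLocalDir' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Install-RedirectionsXml {
    # Step 2 from the thread: write redirections.xml into
    # <profile>\AppData\Local\FSLogix for every profile currently present on the host.
    [CmdletBinding()]
    param([string]$ProfileRoot = 'C:\Users')

    # Fail early if the XML does not parse rather than deploying a broken file.
    $null = [xml]$RedirectionsXml

    # Write UTF-8 without a byte-order mark, matching the declared encoding.
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)

    foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory) {
        if ($SkipProfiles -contains $profile.Name) { continue }
        $targetDir  = Join-Path -Path $profile.FullName -ChildPath 'AppData\Local\FSLogix'
        New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
        $targetFile = Join-Path -Path $targetDir -ChildPath 'redirections.xml'
        [System.IO.File]::WriteAllText($targetFile, $RedirectionsXml, $utf8NoBom)
        Write-Verbose "Wrote $targetFile"
    }
}

function Test-FsLogixTokenWorkaround {
    # Verification: report the registry value and which profiles carry the file,
    # so the host can be checked before asking the user to log off and on again.
    [CmdletBinding()]
    param([string]$ProfileRoot = 'C:\Users')

    $keepLocalDir = (Get-ItemProperty -Path $FsLogixProfilesKey -Name 'KeepLocalDir' `
        -ErrorAction SilentlyContinue).KeepLocalDir

    Get-ChildItem -Path $ProfileRoot -Directory |
        Where-Object { $SkipProfiles -notcontains $_.Name } |
        ForEach-Object {
            $file = Join-Path -Path $_.FullName -ChildPath 'AppData\Local\FSLogix\redirections.xml'
            [pscustomobject]@{
                Profile         = $_.Name
                KeepLocalDir    = $keepLocalDir
                RedirectionsXml = Test-Path -Path $file -PathType Leaf
            }
        }
}

# Usage on a session host (elevated):
#   Set-FsLogixKeepLocalDir
#   Install-RedirectionsXml -Verbose
#   Test-FsLogixTokenWorkaround | Format-Table -AutoSize
```

Two points to keep in mind when using it. First, as the thread says, the file is only read at logon, so a user who is signed in while it is written still needs a logoff/logon. Second, where profile containers are in use, a user's folder under C:\Users only exists while that user is signed in, so a script like this only reaches signed-in users and local profiles; for dormant profiles the thread's advice is to inject the file into the container. Note also what the workaround trades: the excluded folders hold cached authentication tokens, and KeepLocalDir deliberately leaves them on each session host's local disk after logoff, so those hosts' disks now carry per-user token material that previously lived only in the container.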
- HilcoF, Dec 19, 2022, Copper Contributor
Hi Kevin,
SSO works even when Outlook is broken; the customer has multiple hosts and some users have multiple O365 accounts from different tenants. But we also see Outlook broken issues with users that don't have the second tenant account added.
Outlook breaks after a user changes their password (they needed to change their password every 42 days).
Looks like they need to set the new password / token on both RD-Host servers.
We see logs in Azure AD like:
"The provided grant has expired due to it being revoked, a fresh auth token is needed. The user might have changed or reset their password. The grant was issued on '{authTime}' and the TokensValidFrom date (before which tokens are not valid) for this user is '{validDate}'."
Expected part of the token lifecycle - either an admin or a user revoked the tokens for this user, causing subsequent token refreshes to fail and require re-authentication. Have the user sign-in again.
Error code: 50173
Next test case will be to extend the password change to 365 and see if it still happens. Token refresh is 90 days, I understand.
- KevinDeSchrijver, Dec 13, 2022, Copper Contributor
There is more than one reason why Modern Authentication can break. My situation and the fix are very specific:
The use case is multiple hosts AND multiple O365 accounts (or an O365 account that isn't covered by SSO).
In VDI and almost any setup you should have SSO configured, which handles the primary O365 account. If it "breaks" by moving to another VM, SSO kicks in and repairs it without the user ever noticing.
My fix is only intended if both conditions are met: multiple hosts and multiple O365 accounts.
If you are having issues with Modern Auth and those conditions are not met, I suggest looking at SSO, which may not be configured or may not function as desired. Seems like the case with the changing-password issue. Your local AD may not be in sync with AAD.
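HilcoF's post quotes the Azure AD sign-in failure with error code 50173 (grant revoked after a password change) and observes that the user then has to re-authenticate on each RD host. The following PowerShell is an added example written for this page, not from the thread or from Microsoft, that runs that triage over sign-in records: it filters for 50173 and lists users who hit it on more than one host, which is the signature of the multi-host symptom the thread describes. The records are constructed for the example; their shape (userPrincipalName, createdDateTime, status.errorCode, status.failureReason, deviceDetail.displayName) follows the Microsoft Graph signIn resource, and the function name is invented here.

```powershell
# Added example, not from the thread: find users whose sign-ins failed with
# Azure AD error 50173 (revoked grant) on more than one session host.
# The sample records below are constructed for this example; they are not real log data.
# Field names follow the Microsoft Graph signIn resource (assumption about the source format).

$SampleSignIns = @(
    [pscustomobject]@{
        userPrincipalName = 'alice@contoso.example'
        createdDateTime   = [datetime]'2022-12-12T08:02:11Z'
        deviceDetail      = @{ displayName = 'RDSH-01' }
        status            = @{ errorCode = 50173; failureReason = 'The provided grant has expired due to it being revoked, a fresh auth token is needed.' }
    }
    [pscustomobject]@{
        userPrincipalName = 'alice@contoso.example'
        createdDateTime   = [datetime]'2022-12-12T08:05:40Z'
        deviceDetail      = @{ displayName = 'RDSH-01' }
        status            = @{ errorCode = 0; failureReason = 'Other.' }   # re-authenticated on RDSH-01
    }
    [pscustomobject]@{
        userPrincipalName = 'alice@contoso.example'
        createdDateTime   = [datetime]'2022-12-13T09:17:03Z'
        deviceDetail      = @{ displayName = 'RDSH-02' }
        status            = @{ errorCode = 50173; failureReason = 'The provided grant has expired due to it being revoked, a fresh auth token is needed.' }
    }
    [pscustomobject]@{
        userPrincipalName = 'bob@contoso.example'
        createdDateTime   = [datetime]'2022-12-12T10:44:19Z'
        deviceDetail      = @{ displayName = 'RDSH-02' }
        status            = @{ errorCode = 50173; failureReason = 'The provided grant has expired due to it being revoked, a fresh auth token is needed.' }
    }
    [pscustomobject]@{
        userPrincipalName = 'carol@contoso.example'
        createdDateTime   = [datetime]'2022-12-12T11:01:55Z'
        deviceDetail      = @{ displayName = 'RDSH-01' }
        status            = @{ errorCode = 0; failureReason = 'Other.' }
    }
)

function Get-RevokedGrantHostSpread {
    # Groups 50173 failures per user and keeps users seen on at least $MinHosts
    # distinct hosts; a user who had to re-authenticate on every host after a
    # password change shows up here, a single revoked session does not.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $MinHosts = 2
    )

    $SignIns |
        Where-Object { $_.status.errorCode -eq 50173 } |
        Group-Object -Property userPrincipalName |
        ForEach-Object {
            $hosts  = @($_.Group | ForEach-Object { $_.deviceDetail.displayName } | Sort-Object -Unique)
            $times  = @($_.Group.createdDateTime | Sort-Object)
            [pscustomobject]@{
                User      = $_.Name
                HostCount = $hosts.Count
                Hosts     = $hosts -join ', '
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        } |
        Where-Object { $_.HostCount -ge $MinHosts }
}

# Usage with the constructed records (swap in real sign-in log output for production use):
Get-RevokedGrantHostSpread -SignIns $SampleSignIns | Format-Table -AutoSize
```

Lowering -MinHosts to 1 lists every user affected by a revocation, which is the population to check against the SSO and directory-sync explanation Kevin gives in his reply; the multi-host view isolates the cases where the thread's container workaround, rather than SSO, is the relevant fix.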